Валентин Шнайдер, Gadgets
20 May 2025, 17:34
Attackers are spreading fake KeePass that steals passwords and installs malware
Hackers have been distributing a trojanized build of KeePass for at least eight months. It installs a Cobalt Strike beacon, steals the user's stored passwords, and has been used to stage ransomware attacks.
Cybercriminals have launched a large-scale campaign to distribute a malicious version of KeePass, a popular password manager. The fake build keeps all the functionality of the original tool, but it exfiltrates the user's passwords in plain text and serves as a foothold for ransomware, BleepingComputer reported, citing researchers from WithSecure Threat Intelligence.
The incident began with an ordinary Bing ad: a user clicked a link, expecting to land on the official KeePass website. Instead, they ended up on a typosquatting site, an almost exact copy of the real one served from a look-alike domain.
What is KeePass?
KeePass is one of the most popular free and open-source password managers. Because its source code is open, anyone can rebuild it with modifications, which is how the attackers were able to produce a version that looks and works exactly like the original. Users are advised to download such software only from the official website or other trusted sources, and to check the installer's digital signature or published hash before running it, since the fake build is otherwise indistinguishable from the real one.
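As an added example (not code from the article or the KeePass project), the two checks the advice above boils down to: is the download host really the official domain rather than a look-alike, and does the downloaded file's SHA-256 match a value pinned from a trusted source. The official domain `keepass.info`, the homoglyph table, the edit-distance threshold and the sample installer bytes and hash are all assumptions of this example, not values taken from the page.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Assumptions of this example: the official KeePass download domain and the
# thresholds used to call a host a "look-alike" of it.
OFFICIAL_DOMAIN = "keepass.info"
BRAND_LABEL = "keepass"
MAX_LABEL_DISTANCE = 2  # edit distance at which a label still "reads as" keepass

# Common character substitutions seen in look-alike domains; illustrative, not exhaustive.
HOMOGLYPH_PAIRS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize_host(host: str) -> str:
    """Lower-case, strip a trailing dot and fold common homoglyph tricks."""
    host = host.lower().rstrip(".")
    for lookalike, plain in HOMOGLYPH_PAIRS:
        host = host.replace(lookalike, plain)
    return host


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_download_host(url: str) -> str:
    """Return 'official', 'lookalike', 'unrelated' or 'invalid' for a download URL."""
    host = urlparse(url).hostname
    if not host:
        return "invalid"
    host = host.lower().rstrip(".")
    # The official domain and its subdomains are controlled by the project itself.
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return "official"
    folded = normalize_host(host)
    labels = folded.split(".")
    # Second-level label of the registrable name, e.g. "keeppass" in keeppass.info
    # (two-label public suffixes such as .co.uk are not handled in this example).
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    if BRAND_LABEL in folded or levenshtein(sld, BRAND_LABEL) <= MAX_LABEL_DISTANCE:
        return "lookalike"
    return "unrelated"


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of a downloaded file's SHA-256 against a pinned value."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


# Constructed stand-in for an installer and the hash an administrator would have
# pinned from a trusted source; real values would come from the official site.
SAMPLE_INSTALLER = b"constructed installer bytes, not a real KeePass build"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_INSTALLER).hexdigest()


def check_download(url: str, data: bytes, expected_hex: str) -> tuple[str, bool]:
    """Combine both checks: where the file came from and whether it is the expected file."""
    return classify_download_host(url), verify_sha256(data, expected_hex)


if __name__ == "__main__":
    for u in (
        "https://keepass.info/download.html",
        "https://keeppass.info/download.html",
        "https://keepass-download.com/KeePass-Setup.exe",
        "https://example.com/x",
    ):
        print(u, "->", classify_download_host(u))
    # A tampered file from a look-alike host fails both checks.
    print(check_download("https://keeppass.info/x", SAMPLE_INSTALLER + b"\x00", SAMPLE_SHA256))
```

The host check only catches domains that imitate the brand; it cannot tell a trojanized build apart from a clean one, which is why the hash (or, on Windows, the Authenticode signature and signer name) has to be compared against a value obtained out of band rather than from the download page itself.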
Because KeePass is open source, the attackers were able to keep all of its core features in the fake version, so it behaves exactly as a user expects. They also added a Cobalt Strike beacon, through which the user's password database is transmitted to the attackers in unencrypted form. The stolen credentials were then used to get into the victim's corporate network and encrypt its data with ransomware.
WithSecure believes the attack is the work of the UNC4696 group, which is likely part of the Black Basta network, one of the most notorious ransomware operations. The group has previously been linked to Nitrogen Loader and to the now-defunct BlackCat/ALPHV ransomware operation.
Although only one such case has been confirmed so far, the researchers warn that the real number of incidents may be higher. The malicious site is still active and continues to distribute trojanized versions of popular software; according to WithSecure, it is backed by extensive infrastructure built to mass-distribute malware disguised as legitimate utilities.
In other recent news, a large-scale personal data leak was reported: a hacker using the handle Machine1337 claimed to have obtained data on 89 million Steam player accounts.